/*
 *  Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
 *  Copyright (C) 2007-2013 Sourcefire, Inc.
 *
 *  Authors: Trog, Török Edvin
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2 as
 *  published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 *  MA 02110-1301, USA.
 */

#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <string.h>
#include <ctype.h>
#ifndef _WIN32
#include <netinet/in.h>
#endif

#include "clamav.h"
#include "others.h"
#include "special.h"
#include "matcher.h"

/* NOTE: Photoshop stores data in BIG ENDIAN format, this is the opposite
	to virtually everything else */

#define special_endian_convert_16(v) be16_to_host(v)
#define special_endian_convert_32(v) be32_to_host(v)

int cli_check_mydoom_log(cli_ctx *ctx)
{
    const uint32_t *record;
    uint32_t check, key;
    fmap_t *map         = *ctx->fmap;
    unsigned int blocks = map->len / (8 * 4);

    cli_dbgmsg("in cli_check_mydoom_log()\n");
    if (blocks < 2)
        return CL_CLEAN;
    if (blocks > 5)
        blocks = 5;

    record = fmap_need_off_once(map, 0, 8 * 4 * blocks);
    if (!record)
        return CL_CLEAN;
    while (blocks) { /* This wasn't probably intended but that's what the current code does anyway */
        if (record[--blocks] == 0xffffffff)
            return CL_CLEAN;
    }

    key   = ~be32_to_host(record[0]);
    check = (be32_to_host(record[1]) ^ key) +
            (be32_to_host(record[2]) ^ key) +
            (be32_to_host(record[3]) ^ key) +
            (be32_to_host(record[4]) ^ key) +
            (be32_to_host(record[5]) ^ key) +
            (be32_to_host(record[6]) ^ key) +
            (be32_to_host(record[7]) ^ key);
    if ((~check) != key)
        return CL_CLEAN;

    key   = ~be32_to_host(record[8]);
    check = (be32_to_host(record[9]) ^ key) +
            (be32_to_host(record[10]) ^ key) +
            (be32_to_host(record[11]) ^ key) +
            (be32_to_host(record[12]) ^ key) +
            (be32_to_host(record[13]) ^ key) +
            (be32_to_host(record[14]) ^ key) +
            (be32_to_host(record[15]) ^ key);
    if ((~check) != key)
        return CL_CLEAN;

    return cli_append_virus(ctx, "Heuristics.Worm.Mydoom.M.log");
}

static int jpeg_check_photoshop_8bim(cli_ctx *ctx, off_t *off)
{
    const unsigned char *buf;
    uint16_t ntmp;
    uint8_t nlength, id[2];
    uint32_t size;
    off_t offset = *off;
    int retval;
    fmap_t *map = *ctx->fmap;

    if (!(buf = fmap_need_off_once(map, offset, 4 + 2 + 1))) {
        cli_dbgmsg("read bim failed\n");
        return -1;
    }
    if (memcmp(buf, "8BIM", 4) != 0) {
        cli_dbgmsg("missed 8bim\n");
        return -1;
    }

    id[0] = (uint8_t)buf[4];
    id[1] = (uint8_t)buf[5];
    cli_dbgmsg("ID: 0x%.2x%.2x\n", id[0], id[1]);
    nlength = buf[6];
    ntmp    = nlength + ((((uint16_t)nlength) + 1) & 0x01);
    offset += 4 + 2 + 1 + ntmp;

    if (fmap_readn(map, &size, offset, 4) != 4) {
        return -1;
    }
    size = special_endian_convert_32(size);
    if (size == 0) {
        return -1;
    }
    if ((size & 0x01) == 1) {
        size++;
    }

    *off = offset + 4 + size;
    /* Is it a thumbnail image: 0x0409 or 0x040c */
    if ((id[0] == 0x04) && ((id[1] == 0x09) || (id[1] == 0x0c))) {
        /* Yes */
        cli_dbgmsg("found thumbnail\n");
    } else {
        /* No - Seek past record */
        return 0;
    }

    /* Jump past header */
    offset += 4 + 28;

    retval = cli_check_jpeg_exploit(ctx, offset);
    if (retval == 1) {
        cli_dbgmsg("Exploit found in thumbnail\n");
    }
    return retval;
}

static int jpeg_check_photoshop(cli_ctx *ctx, off_t offset)
{
    int retval;
    const unsigned char *buffer;
    off_t old;
    fmap_t *map = *ctx->fmap;

    if (!(buffer = fmap_need_off_once(map, offset, 14))) {
        return 0;
    }

    if (memcmp(buffer, "Photoshop 3.0", 14) != 0) {
        return 0;
    }
    offset += 14;

    cli_dbgmsg("Found Photoshop segment\n");
    do {
        old    = offset;
        retval = jpeg_check_photoshop_8bim(ctx, &offset);
        if (offset <= old)
            break;
    } while (retval == 0);

    if (retval == -1) {
        retval = 0;
    }
    return retval;
}

int cli_check_jpeg_exploit(cli_ctx *ctx, off_t offset)
{
    const unsigned char *buffer;
    int retval;
    fmap_t *map = *ctx->fmap;

    cli_dbgmsg("in cli_check_jpeg_exploit()\n");
    if (ctx->recursion > ctx->engine->maxreclevel)
        return CL_EMAXREC;

    if (!(buffer = fmap_need_off_once(map, offset, 2)))
        return 0;
    if ((buffer[0] != 0xff) || (buffer[1] != 0xd8)) {
        return 0;
    }
    offset += 2;
    for (;;) {
        off_t new_off;
        if (!(buffer = fmap_need_off_once(map, offset, 4))) {
            return 0;
        }
        /* Check for multiple 0xFF values, we need to skip them */
        if ((buffer[0] == 0xff) && (buffer[1] == 0xff)) {
            offset++;
            continue;
        }
        offset += 4;
        if ((buffer[0] == 0xff) && (buffer[1] == 0xfe)) {
            if (buffer[2] == 0x00) {
                if ((buffer[3] == 0x00) || (buffer[3] == 0x01)) {
                    return 1;
                }
            }
        }
        if (buffer[0] != 0xff) {
            return -1;
        }
        if (buffer[1] == 0xda) {
            /* End of Image marker */
            return 0;
        }

        new_off = ((unsigned int)buffer[2] << 8) + buffer[3];
        if (new_off < 2) {
            return -1;
        }
        new_off -= 2;
        new_off += offset;

        if (buffer[1] == 0xed) {
            /* Possible Photoshop file */
            ctx->recursion++;
            retval = jpeg_check_photoshop(ctx, offset);
            ctx->recursion--;
            if (retval != 0)
                return retval;
        }
        offset = new_off;
    }
}

static uint32_t riff_endian_convert_32(uint32_t value, int big_endian)
{
    if (big_endian)
        return be32_to_host(value);
    else
        return le32_to_host(value);
}

static int riff_read_chunk(fmap_t *map, off_t *offset, int big_endian, int rec_level)
{
    uint32_t cache_buf;
    char *buffer;
    const uint32_t *buf;
    uint32_t chunk_size;
    off_t cur_offset = *offset;

    if (rec_level > 1000) {
        cli_dbgmsg("riff_read_chunk: recursion level exceeded\n");
        return 0;
    }

    if (!(buf = fmap_need_off_once(map, cur_offset, 4 * 2)))
        return 0;
    cur_offset += 4 * 2;

    buffer = (char *)buf;
    memcpy(&cache_buf, buffer + sizeof(cache_buf),
           sizeof(cache_buf));
    chunk_size = riff_endian_convert_32(cache_buf, big_endian);

    if (!memcmp(buf, "anih", 4) && chunk_size != 36)
        return 2;

    if (memcmp(buf, "RIFF", 4) == 0) {
        return 0;
    } else if (memcmp(buf, "RIFX", 4) == 0) {
        return 0;
    }

    if ((memcmp(buf, "LIST", 4) == 0) ||
        (memcmp(buf, "PROP", 4) == 0) ||
        (memcmp(buf, "FORM", 4) == 0) ||
        (memcmp(buf, "CAT ", 4) == 0)) {
        if (!fmap_need_ptr_once(map, buf + 2, 4)) {
            cli_dbgmsg("riff_read_chunk: read list type failed\n");
            return 0;
        }
        *offset = cur_offset + 4;
        return riff_read_chunk(map, offset, big_endian, ++rec_level);
    }

    *offset = cur_offset + chunk_size + (chunk_size & 1);
    if (*offset < cur_offset) {
        return 0;
    }
    /* FIXME: WTF!?
	if (lseek(fd, offset, SEEK_SET) != offset) {
		return 2;
	}
	*/
    return 1;
}

int cli_check_riff_exploit(cli_ctx *ctx)
{
    const uint32_t *buf;
    int big_endian, retval;
    off_t offset;
    fmap_t *map = *ctx->fmap;

    cli_dbgmsg("in cli_check_riff_exploit()\n");

    if (!(buf = fmap_need_off_once(map, 0, 4 * 3)))
        return 0;

    if (memcmp(buf, "RIFF", 4) == 0) {
        big_endian = FALSE;
    } else if (memcmp(buf, "RIFX", 4) == 0) {
        big_endian = TRUE;
    } else {
        /* Not a RIFF file */
        return 0;
    }

    if (memcmp(&buf[2], "ACON", 4) != 0) {
        /* Only scan MS animated icon files */
        /* There is a *lot* of broken software out there that produces bad RIFF files */
        return 0;
    }

    offset = 4 * 3;
    do {
        retval = riff_read_chunk(map, &offset, big_endian, 1);
    } while (retval == 1);

    return retval;
}

static inline int swizz_j48(const uint16_t n[])
{
    cli_dbgmsg("swizz_j48: %u, %u, %u\n", n[0], n[1], n[2]);
    /* rules based on J48 tree */
    if (n[0] <= 961 || !n[1])
        return 0;
    if (n[0] <= 1006)
        return (n[2] > 0 && n[2] <= 6);
    else
        return n[1] <= 10 && n[2];
}

void cli_detect_swizz_str(const unsigned char *str, uint32_t len, struct swizz_stats *stats, int blob)
{
    unsigned char stri[4096];
    size_t i, j = 0;
    int bad       = 0;
    int lastalnum = 0;
    uint8_t ngrams[17576];
    uint16_t all = 0;
    uint16_t ngram_cnts[3];
    uint16_t words = 0;
    int ret;

    stats->entries++;
    for (i = 0; (i < (size_t)len - 1) && (j < sizeof(stri) - 2); i += 2) {
        unsigned char c = str[i];
        if (str[i + 1] || !c) {
            bad++;
            continue;
        }
        if (!isalnum(c)) {
            if (!lastalnum)
                continue;
            lastalnum = 0;
            c         = ' ';
        } else {
            lastalnum = 1;
            if (isdigit(c))
                continue;
        }
        stri[j++] = tolower(c);
    }
    stri[j++] = '\0';
    if ((!blob && (bad >= 8)) || j < 4)
        return;
    memset(ngrams, 0, sizeof(ngrams));
    memset(ngram_cnts, 0, sizeof(ngram_cnts));
    for (i = 0; i < j - 2; i++) {
        if (stri[i] != ' ' && stri[i + 1] != ' ' && stri[i + 2] != ' ') {
            uint16_t idx = (stri[i] - 'a') * 676 + (stri[i + 1] - 'a') * 26 + (stri[i + 2] - 'a');
            if (idx < sizeof(ngrams)) {
                ngrams[idx]++;
                stats->gngrams[idx]++;
            }
        } else if (stri[i] == ' ')
            words++;
    }
    for (i = 0; i < sizeof(ngrams); i++) {
        uint8_t v = ngrams[i];
        if (v > 3) v = 3;
        if (v) {
            ngram_cnts[v - 1]++;
            all++;
        }
    }
    if (!all)
        return;
    cli_dbgmsg("cli_detect_swizz_str: %u, %u, %u\n", ngram_cnts[0], ngram_cnts[1], ngram_cnts[2]);
    /* normalize */
    for (i = 0; i < sizeof(ngram_cnts) / sizeof(ngram_cnts[0]); i++) {
        uint32_t v    = ngram_cnts[i];
        ngram_cnts[i] = (v << 10) / all;
    }
    ret = swizz_j48(ngram_cnts) ? CL_VIRUS : CL_CLEAN;
    if (words < 3) ret = CL_CLEAN;
    cli_dbgmsg("cli_detect_swizz_str: %s, %u words\n", ret == CL_VIRUS ? "suspicious" : "ok", words);
    if (ret == CL_VIRUS) {
        stats->suspicious += j;
        cli_dbgmsg("cli_detect_swizz_str: %s\n", stri);
    }
    stats->total += j;
}

static inline int swizz_j48_global(const uint32_t gn[])
{
    if (gn[0] <= 24185) {
        return gn[0] > 22980 && gn[8] > 0 && gn[8] <= 97;
    }
    if (!gn[8]) {
        if (gn[4] <= 311) {
            if (!gn[4]) {
                return gn[1] > 0 &&
                       ((gn[0] <= 26579 && gn[3] > 0) ||
                        (gn[0] > 28672 && gn[0] <= 30506));
            }
            if (gn[5] <= 616) {
                if (gn[6] <= 104) {
                    return gn[9] <= 167;
                }
                return gn[6] <= 286;
            }
        }
        return 0;
    }
    return 1;
}

int cli_detect_swizz(struct swizz_stats *stats)
{
    uint32_t gn[10];
    uint32_t all = 0;
    size_t i;
    int global_swizz = CL_CLEAN;

    cli_dbgmsg("cli_detect_swizz: %lu/%lu, version:%d, manifest: %d \n",
               (unsigned long)stats->suspicious, (unsigned long)stats->total,
               stats->has_version, stats->has_manifest);
    memset(gn, 0, sizeof(gn));
    for (i = 0; i < 17576; i++) {
        uint8_t v = stats->gngrams[i];
        if (v > 10) v = 10;
        if (v) {
            gn[v - 1]++;
            all++;
        }
    }
    if (all) {
        /* normalize */
        cli_dbgmsg("cli_detect_swizz: gn: ");
        for (i = 0; i < sizeof(gn) / sizeof(gn[0]); i++) {
            uint32_t v = gn[i];
            gn[i]      = (v << 15) / all;
            if (cli_debug_flag)
                fprintf(stderr, "%lu, ", (unsigned long)gn[i]);
        }
        global_swizz = swizz_j48_global(gn) ? CL_VIRUS : CL_CLEAN;
        if (cli_debug_flag) {
            fprintf(stderr, "\n");
            cli_dbgmsg("cli_detect_swizz: global: %s\n", global_swizz ? "suspicious" : "clean");
        }
    }

    if (stats->errors > stats->entries || stats->errors >= SWIZZ_MAXERRORS) {
        cli_dbgmsg("cli_detect_swizz: resources broken, ignoring\n");
        return CL_CLEAN;
    }
    if (stats->total <= 337)
        return CL_CLEAN;
    if (stats->suspicious << 10 > 40 * stats->total)
        return CL_VIRUS;
    if (!stats->suspicious)
        return CL_CLEAN;
    return global_swizz;
}
